The JavaScript in that script block simply will not run at all. The showMainPage() function is supposed to show the logged-in user's profile by loading it into the content_section div in index.php. Here is the JS file code for that function:

Yep, I've put the JSON code you provided into my login() function as shown in my last post, so do you mean I also need to query the database within that function before I pass everything on to login_script.php?

It's meant to replace your existing AJAX call -- not add to it. The new script tag will reference an external script to be generated by login_script.php. Thus, login_script.php should be printing/echoing ONLY JavaScript, what would be found in a normal external JavaScript -- NO HTML WHATSOEVER!

So, you need to replace all existing output in login_script.php with JavaScript output. If you were to put all of your actual authentication code in another script, for example, call it auth.inc, and write an authenticate() function that takes in a user and password and modifies the session accordingly, your login_script.php would look like this, in its entirety:

PHP Code:

<?php

// auth.inc is assumed to call session_start() and define authenticate()
require_once("auth.inc");

// This script is loaded by a <script> tag, so declare the response as
// JavaScript; nothing printed below may be HTML.
header("Content-Type: application/javascript");

// try to authenticate the user -- trust that the authenticate() function
// is doing all of the necessary data sanitization
authenticate($_GET['user'] ?? '', $_GET['pass'] ?? '');

// see whether a user_id has been set in the session and call the appropriate
// client-side method. json_encode() emits the id as a JavaScript literal, so a
// numeric id 23422 still produces showMainPage(23422, 'profile');
if (isset($_SESSION['logged_in_userid']) && $_SESSION['logged_in_userid']) {
    print "showMainPage(" . json_encode($_SESSION['logged_in_userid']) . ", 'profile');";
} else {
    print "showLoginError('Invalid credentials');";
}

?>

From the browser's perspective, it sees one of the following:

login_script.php?user=username&pass=invalidpass&ts=3234234:

Code:

showLoginError('Invalid credentials');

login_script.php?user=username&pass=correctpass&ts=3234456:

Code:

showMainPage(23422, 'profile');

You just need to ensure that both showMainPage() and showLoginError() are defined to display the correct thing to the user. To start with, I would suggest having each of them simply alert() their first parameter to ensure they're even getting called.

Single-use tokens are generally a good idea -- yes. POST requests are not an option with JSONP though. Not something I would be terribly worried about though. If someone can snag your token, they can just as easily forge a POST request. And even in that case, the worst they can do is authenticate!

If you're worried about someone brute-forcing your users database, the best solution is usually just to implement some kind of rate-limiting. You would probably want some combination of limits on failed requests by IP, session, and intended user.
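
An added example, not code from the thread or from the poster's project, of the rate limiting described in the reply above: an in-memory counter of failed logins that is checked on all three dimensions (client IP, session id, intended username) before the password is even compared against the database. The window length and the per-dimension thresholds are assumed values, and the clock is injectable so the window can be exercised without waiting.

```javascript
// Added example, not code from the thread: an in-memory failed-login
// limiter keyed on the three dimensions suggested above (client IP,
// session id, target username). Thresholds and the window are assumed
// values; a real deployment keeps these counters in shared storage.
class FailedLoginLimiter {
  constructor({ windowMs = 15 * 60 * 1000,
                limits = { ip: 50, session: 10, user: 5 },
                now = () => Date.now() } = {}) {
    this.windowMs = windowMs;
    this.limits = limits;
    this.now = now;            // injectable clock, so the window can be tested
    this.failures = new Map(); // "dim:value" -> timestamps of recent failures
  }

  // The three counters an attempt touches. Usernames are normalised so
  // "Alice" and "alice" share a bucket.
  keys({ ip, session, user }) {
    return [["ip", ip], ["session", session], ["user", String(user).toLowerCase()]];
  }

  // Drop timestamps outside the sliding window and return the live ones.
  recent(key) {
    const cutoff = this.now() - this.windowMs;
    const live = (this.failures.get(key) || []).filter((t) => t > cutoff);
    this.failures.set(key, live);
    return live;
  }

  // Call before checking the password. Returns null if the attempt may
  // proceed, otherwise the dimension ("ip", "session" or "user") that is
  // over its limit, so the caller can refuse without touching the database.
  check(attempt) {
    for (const [dim, value] of this.keys(attempt)) {
      if (this.recent(`${dim}:${value}`).length >= this.limits[dim]) return dim;
    }
    return null;
  }

  // Call after a wrong password: one failure on every dimension.
  recordFailure(attempt) {
    for (const [dim, value] of this.keys(attempt)) {
      this.recent(`${dim}:${value}`).push(this.now());
    }
  }

  // Call after a correct password. Only the user and session counters are
  // cleared: the IP counter is kept, otherwise an attacker who owns one
  // valid account could reset it between guesses at other accounts.
  recordSuccess(attempt) {
    for (const [dim, value] of this.keys(attempt)) {
      if (dim !== "ip") this.failures.delete(`${dim}:${value}`);
    }
  }
}
```

The per-user counter is the one that stops a targeted attack spread over many IPs, but it is also a denial-of-service handle, since anyone who knows a username can fill its bucket; in practice the user dimension is usually answered with an increasing delay or a CAPTCHA rather than a hard refusal, while the IP and session dimensions can be refused outright.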

I was meaning to POST the results (through AJAX) and receive the single use token with which to call the JSONP as a JSON object. This would allow you to use the more secure POST along with the ease of use of JSONP.
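
An added example, not code from the thread or from the original poster's project, of the browser side of the JSONP login laid out in the reply above (the script tag that loads login_script.php and the showMainPage()/showLoginError() callbacks it calls), with the POST-then-single-use-token variant proposed in the post just above folded in. The two callback names and `login_script.php` come from the thread; `login_token.php`, the endpoint that takes the POSTed credentials and answers with `{"token": "..."}`, is an assumed name, and the query parameters `user`, `pass`, `token` and `ts` are assumed to be what the server reads.

```javascript
// Added example (not code from the thread): the browser side of the JSONP
// login described above, plus the POST-then-token variant. Assumed names:
// login_script.php (the JSONP endpoint from the thread) and login_token.php
// (a hypothetical endpoint that accepts a POSTed password and returns
// {"token": "..."}).

const JSONP_ENDPOINT = "login_script.php";
const TOKEN_ENDPOINT = "login_token.php"; // assumed, not from the thread

// Build the script URL. URLSearchParams percent-encodes every value, so an
// "&", "=" or "#" in a password cannot truncate the query or inject extra
// parameters, and the ts value defeats caching of a previous login result.
function buildScriptUrl(params, ts = Date.now()) {
  const q = new URLSearchParams({ ...params, ts: String(ts) });
  return `${JSONP_ENDPOINT}?${q.toString()}`;
}

// Install the two global callbacks login_script.php will call, inject the
// script tag, and settle a promise on whichever callback fires first. A
// timeout and an onerror handler turn "the script simply does not run" into
// a visible error instead of a hang. params is {user, pass} or {token}.
function jsonpLogin(params, { root = globalThis, doc = globalThis.document, timeoutMs = 10000 } = {}) {
  return new Promise((resolve, reject) => {
    let settled = false;
    let script = null;
    const cleanup = () => {
      delete root.showMainPage;
      delete root.showLoginError;
      if (script && script.parentNode) script.parentNode.removeChild(script);
    };
    const finish = (fn, value) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      cleanup();
      fn(value);
    };
    const timer = setTimeout(() => finish(reject, new Error("login timed out")), timeoutMs);
    root.showMainPage = (userId, section) => finish(resolve, { userId, section });
    root.showLoginError = (message) => finish(reject, new Error(String(message)));
    if (doc) {
      script = doc.createElement("script");
      script.src = buildScriptUrl(params);
      script.onerror = () => finish(reject, new Error("could not load " + JSONP_ENDPOINT));
      doc.head.appendChild(script);
    }
  });
}

// Variant from the post above: send the password with a POST instead of a
// script-tag GET (which lands in server access logs, browser history and any
// Referer header), receive a single-use token as JSON, and hand only the
// token to the JSONP script.
async function tokenLogin(user, pass, { fetchImpl = globalThis.fetch, ...opts } = {}) {
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ user, pass }),
  });
  if (!res.ok) throw new Error("token request failed: " + res.status);
  const { token } = await res.json();
  if (typeof token !== "string" || token.length === 0) throw new Error("no token in response");
  return jsonpLogin({ token }, opts);
}
```

Both entry points resolve with `{userId, section}` exactly as the server-generated `showMainPage(23422, 'profile');` line supplies them, and reject with the message passed to `showLoginError()`, so the calling code (the onclick handler that returns false) can stay free of page refreshes. The callbacks are removed again as soon as one fires, so a late or duplicated script response cannot call into a stale handler.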

Hence I don't want the email and password to be submitted, which is why I used `return false` in the onclick property. I only want them to be passed to a JavaScript function and dealt with from there, i.e., no page refresh. I'm not sure how this could work with the code you provided.